Tuesday, January 11, 2011

The Identity Community at Work; the EU’s Take, ICAM, PIV-I, Individual Contributions and the NSTIC’s Evolution

The recent announcement by the Obama administration to advance the National Strategy for Trusted Identities in Cyberspace (NSTIC) focuses a conversation on a critical topic. Digital identities are used by an increasing percentage of the United States’ (US) and global population as part of our daily routines in conducting modern life. Trusted identities are a fundamental requirement to do this. In much the same way that transportation systems, communications and electricity provide critical components of our national infrastructure and economic development, and a measure of the potential utility we have as individuals and as a society, so too, very importantly, does identity infrastructure now. The NSTIC effort recognizes that identity is a 21st century utility, that it needs to be reliable and widely available, and that it is critical to the US to continue to play a role as world leader.

In this regard the NSTIC put user control and choice at the center of its policy goals, along with a public-private partnership to accomplish this. To do this it looks to define an identity ecosystem. While IDmachines may differ over the language (a preference for use cases to define infrastructure and applications), it does believe that a process to understand the stakeholders matters. The outreach last year gave those who desired a voice in the process an opportunity to contribute to the conversation via the draft of the strategy and a public on-line forum (that was at this link but has since been taken down); these were proper steps to take in building the partnership envisioned.

As part of the process the White House has designated the Department of Commerce and identified the National Institute of Standards and Technology (NIST) as the governmental organization to lead the effort. This makes a lot of sense given existing NIST standards for identity verification and numerous other standards and special publications around computer and network security. In doing so it is expected that NIST will continue to follow its track record of reaching out to industry and other organizations and provide standards-based solutions and important guidance.

This is not new ground and there are a number of organizations and existing efforts that can be leveraged.  There is a requirement for the NSTIC to establish the current state of affairs.  In doing so it can look to work that was done last year by the European Commission Joint Research Centre Institute for Prospective Technological Studies and their document “The State of the Electronic Identity Market: Technology, Infrastructure, Services and Policies”.  It is one take on the identity ecosystem and a good one.

Perhaps because of its geographic reality the EU has to develop policy that takes into account the needs of federation. And while NSTIC doesn’t have to deal with federation among countries, the underlying requirement for federation is a basis for trust, and this is at the center of the NSTIC (at least the middle of the acronym). The EU report attempts to lay out the socio-economic impacts of identity; it points out that the market for eID (sic) is immature and that work needs to be done to “build identification and authentication systems that people can live with, trust and use.” This is completely on target with what the NSTIC is trying to accomplish.

Also in its preface the EU report points out the fact that identity is converted into credentials for access to services. This completely maps to the Federal CIO Council activities around Identity, Credential and Access Management (ICAM). These efforts have built on the work done by NIST and Federal Information Processing Standard 201 (FIPS 201). These efforts have led to a framework for interoperability called Personal Identity Verification Interoperability (PIV-I). This framework provides the basis for high assurance multi-purpose identity credentials and best practice for issuing these credentials, and establishes a policy for certification of high assurance identity providers to commerce and citizens. PIV-I is becoming widely adopted by industry and supported by the vendor community. At lower assurance levels a complementary framework has also been established to foster the adoption and evolution of identity providers called out in the NSTIC vision and also referenced in the EU document.

In a very real sense there is an alignment among organizations pursuing these important goals. This has fostered a number of organizations where collaboration is taking place, including the Internet Engineering Task Force, Kantara Initiative, the Open Identity Exchange, the Smart Card Alliance, and the Security Industry Association, among others. All of the activities here are working to address the findings in the EU report, and all of these organizations either already have played or will play a role in the NSTIC.

The NSTIC also needs to take into account the substantial body of work that has been created by dedicated individuals in the Internet Identity Workshops (IIW) and the effort to develop a Personal Data Ecosystem (PDE) definition.  IIW represents a myriad of related and important identity activities.  The user centric views expressed by IIW in the Identity Commons can further inform both the EU and the NSTIC as it moves ahead.

The NSTIC has the opportunity to tip the balance of the conversation and focus on identity toward socio-economic benefit, away from what is often today one of identity fraud and identity theft. In doing so trusted identities can improve the delivery and lower the cost to the public of financial services, healthcare and e-commerce, and reduce the federal budget. It can provide jobs and economic stimulus. It improves security by fostering collaboration instead of building walls to keep out threats. Investing in the identity infrastructure to support it should be a priority. (As this blog has pointed to on multiple occasions.) Identity has to be done right and not just in the context of what’s required for the next public offering or multi-billion dollar business. The challenge and opportunity lie ahead.
